When experts claim the sky is falling, we point out that you're just looking at the ground.

Thursday, March 4, 2010

Treatment and privacy: not a zero-sum game

Last week, an article in the New York Times' Health section quoted Dr. Cara Litvin on electronic medical record privacy:

Privacy concerns have been the main deterrent to “wiring” medical records. But Dr. Litvin notes that the information is password-protected, and that insurers and employers would not have access to a patient’s electronic medical record unless the patient authorized it. “The benefits to providing quality medical care way outweigh any privacy issues,” she said.

Statements like that are catnip to privacy researchers. Dr. Litvin deserves the benefit of the doubt with respect to her intentions, but the notion that high-quality care and privacy are opposed to each other -- as her statement suggests -- is worth some critical consideration.

It's easy to see things from a doctor's perspective. A doctor's mandate is to heal, and in life-and-death cases, ease of access to patient records can make a critical difference. Measures meant to provide privacy should not hinder treatment in such cases; a patient whose life is at stake would probably agree. A fundamental principle is that the person providing critical care should not be stymied by technological obstacles.

But let's consider cases that don't involve life-and-death urgency. These cases are the more interesting ones from a privacy perspective, and the guiding principle of privacy mechanism design here is more slippery. It's something like this: the person providing care should have access to the information that is relevant to her decisions; nobody else should have any more information than is absolutely necessary for administrative purposes. Privacy measures are meant to protect patients from electronic security breaches -- i.e., from the sorts of problems that arise when intruders harvest lots of records at once, or when a determined attacker obtains one or more specifically chosen records. If we don't do a good enough job implementing security and privacy, such breaches can result in the permanent, irrevocable exposure of information pertaining to people who do not want that information to be public. Patients deserve high-quality care and data privacy.

Electronic medical record breaches open the door to new kinds of discrimination. Imagine a healthy person losing a job opportunity because her family history suggests an elevated risk of a debilitating disease. Imagine embarrassing disclosures based on prescription drug
information. Imagine insurers -- let's assume for a moment that not every insurer is scrupulous -- basing payment decisions on information they are not legally allowed to see. Designing mechanisms to defend against such breaches is an area of activeresearch whose heyday is approaching.